I have deployed two applications onto the glassfish server, each of which uses its own security realm (file, jdbc). The problem is that the glassfish allows only one default realm to be set which results in only one application to be functional at a time. I'm a newbie with the glassfish so I might be missing something fundamental or should approach this problem differently (do I need a separate domain for each of mine applications to be able to set the security with specific realm?).
Any suggestions would be appreciated.
Thank you.
It's possible to create more file Realms in the same GlassFish domain, you simply have to specify a new file name for the keyfile storing the users / passwords information. You can follow this tutorial if you wish.
Concerning the other part of the question, you can also consider to use a LDAP server, which is a scalable and more general solution, because it can be used also by other applications inside the same firm. You can use OpenLDAP or OpenDJ for example, and use JNDI API for letting your applications access the LDAP realm.
Here you can find a JNDI and OpenLDAP Tutorial, but you can easily find other tutorials around on the subject.
Related
I want to build a web application with JSF where I use JAAS for authentication.
I will run the application on Glassfish v4 and I want to use a custom realm/login module to have my user credentials stored in a database and moreover having the passwords salted and hashed. As far as I know the JDBCRealm of Glassfish does not give me possibility to have the passwords salted.
I already found resources on how build such login modules and security realms for it.
Now I reached a point where I still have too many questions open and no answers found on the web.
My first question now is more like a conceptual question.
So for me it actually seems like a disadvantage if I use JAAS since that would require me to write custom realms and login modules for each application server I want my application to be deployed to.
I mean I see the advantage to have the authentication seperated but still it seems quite a bit of extra work compared to a solution where I would do the login procedure on my own.
Since I could also do the access control using custom filter in JSF this seems to be a more universal way because there is no extra effort when I change the application server.
Do I miss something here?
This also leads me to another point. Is there a way to perform the login procedure by myself but assign the current user specific roles in the context of JAAS during my custom login?
Another question: I have seen that it is also possible to create/update/delete users with a custom realm which sounds awesome for my needs... Sorry if this is a kind of a noob question but I still could not figure out how to retrieve the JAAS realm from within my JSF application...
I am trying to Implement clustering in liferay 6.2 using below Link
https://www.liferay.com/en_GB/documentation/liferay-portal/6.2/user-guide/-/ai/liferay-clustering-liferay-portal-6-2-user-guide-20-en
I had put below properties in both liferay server's portal-ext.properties and Pointing both Liferay server to same Database.
cluster.link.enabled=true
cluster.link.autodetect.address=localhost:3306
lucene.replicate.write=true
Now I added one portlet to a page from first Liferay instance and accessing the same page from Second Liferay instance(Using same userID) i am getting error message stating "Invalid authentication Token".It seems to be session replication problem in Cluster but not able to figure out how to resolve this.
Looking for help to figure out whats going wrong.
Thanks in Advance.
You have a severe problem in your configuration, despite the already accepted answer (which I mostly disagree with).
You'll have to set up proper clustering on Liferay. In order for Liferay to find "the other" node, it uses Multicast (by default). And if you have multiple network cards but want/need one specific network card to be used for detecting the other node, you'll give the cluster.link.autodetect.address. Liferay will use this to see which network adapter is used (by your OS) to connect to that address and then use the resulting network adapter. If you have only one adapter, the default value www.google.com:80 is good. If you set this to localhost, Liferay will try to communicate with your other node(s) on localhost, thus only succeed if you have two Liferay processes running on the same machine - otherwise you'll have no cache synchronization at all.
As of the principles of Liferay Clustering, I'd recommend to go to the User's Guide and specifically not do session replication (e.g. the tomcat-configured session replication). 95% of users don't need it, it adds significant overhead to processing, eating the performance benefits of the second server. And while you're at it: Check some common pitfalls when clustering Liferay (but beware: There are more)
Edit: To answer your "Invalid Authentication Token" question: My advice is to implement sticky sessions - e.g. balance the session creation to a certain machine, then stick to it. The Authentication token is used for mitigating CSRF attacks. Not having it implies that your session replication doesn't work correctly. As I've laid out above, I don't recommend enabling session replication, thus sticky sessions are your best option IMHO.
Session clustering is implemented in Application Server, not in Liferay. You have either configure it manually on your AS, or enable sticky sessions on your Load Balancer.
There is a lot of articles about how to do it in Tomcat:
In Tomcat documentation
Liferay wiki
Te second article is very heavy, as far as I remember to run the basic session replication, all you need to do is to enable SimpleTcpCluster in tomcat configuration and add <distributable /> to web.xmls of all your web applications.
I am about developing a web application using jsf 2.0 and netbeans 7.1
so I want to authenticate users before they can access the application
My question know is how can I be sure of that user along his "session"?
I searched and found that I have to use session beans but I didn't get
the "remedy" of my problem
thanks for help
the answer really depends on your requirements. the simplest solution would be to use container managed authentication (via JAAS). all j2ee/servlet containers support this, but some implement it "their own way", so you have to check the docs. i know for tomcat and jboss, it's very simple to turn on and (assuming you configure your web.xml properly) just trust that if they are loading your pages, the session is authorized. you might want to bulk up the question with some of your requirements. that will really spur people to give you a much more concrete answer than i'm providing.
TIA
I have implemented some pages for my webproject. However, now I would like to add security.
I will have a couple of roles, like admin, user, other and some pages shall only be accessable for the admins, some for the users and so on.
If its intresting, Im using Hibernate for the database. I plan to store the roles and users in the database.
Can you help me to tell the best practice (if any) for a scalable solution for implementing the security in my webproject? Links, books or a good example is very grateful =)
Best regards
Apache Shiro is a new and supposedly very elegant and easy to use security framework.
Spring security may be suitable for your needs.
http://static.springsource.org/spring-security/site/features.html
BTW which IDE you are using?
You can undoubtedly visit OWASP web site..The OWASP web site provides you on every bit of information about the potential security attacks/threats to a web application..
The website will provide you all the information related to a particular attack/threat and also the possible solution to avoid the threat..
You can even download the ESAPI jar provided by OWASP which provides ample amount of functionalities to handle security attacks/threats. It will considerably reduce your development time.
Here's the link to the website
https://www.owasp.org/index.php/Main_Page
Based on the underlying technology you are using you will get relevant solutions to avoid attacks/threats.
Also you can store the names of the module or the URL in the DB and you can have a mapping between roles and the module. Based on the role of the user you can fetch the module and display respective modules to the user.
You can further visit this link for some more details on when to use SHIRO and when to use EASPI.
Apache Shiro & Java Security for Novicesenter link description here
But I am sure that after going through EASPI web site and few days of studying security attacks you can easily use EASPI to provide enhance security feature to your web application.
I'm working on a filter to be put in front of a Java application. This filter already is responsible for setting the user name in the remote user variable (in order for the application to do a request.getRemoteUser() call).
I'd like to also set the roles of the currently logged user from a custom call to an LDAP (not requesting user groups but other specific attributes).
How can I achieve that?
If you write a custom LoginModule, you can authenticate the user yourself, as well as populate the user's roles based on what is in LDAP. If you specify your application server, I could provide more specific information.
OK, LoginModule. It looks like it's what I was looking for... (Filter does not provide the needed functionalities regarding EJB, only servlets)
What specificities are they between different App Servers? Isn't there a core Java EE LoginModule specification that is suported by all servers? (at least WAS and jBoss I would say)
Thanks for your help anyway!